Dan Kuykendall has posted a cross-site scripting tutorial over at the MightySeek podcast. If you don’t understand cross-site scripting or have a shaky understanding, I recommend it. Dan suggests that while listening you follow along in the show notes and actually try the attacks on a sandbox he’s set up at hackme.mightyseek.com. I didn’t do this, but if you’re new to XSS then it’s probably a good idea to learn by doing.